Toward global Interoperable Identity Management

Transcription

1 ITU-T Joint Meeting on the IdM Focus Group Reports Toward global Interoperable Identity Management Anthony-Michael Rutkowski Vice-President, VeriSign Chair, ITU-T IdM FG Requirements WG Geneva, September 2007 Union V0.9, 7 Sep 2007

2 Focus Group Products Reference materials Ecosystem Lexicon Existing legal & regulatory compendium, including privacy Use cases, platforms, gaps Requirements structure and provisions, including privacy related deliverables Draft framework(s) Union 2

3 Largely Network Centric Union 3

4 Requirements for Global Interoperable IdM: the Seven Pillars People Organizations Objects, Sensors and Control System s Union 4

5 Requesting/ Asserting Entity IDM Model Identity Assertion Relying Party Entity Query(ies) to Identity Resources Identity Provider(s) Relying Party is most often the service provider or network operator which may also be an Identity Provider Response Response IDM Plane Management Functions Identity Management Applications Service Stratum Transport Stratum Identity Model Based Interoperability Union 5

6 16 requirements/recommendations concerning support for identified entities below 21 requirements/recommendations applicable to IdPs for credential, identifier, attribute, pattern and assurance services Especially important Interoperable protocols, including objects Assurance/confidence metrics Delegation Lifecycle management Improved identity proofing and discovery for public network identifiers in hierarchical assignment identifier structures End-User Entities (Requesting/Asserting Identities) Real persons Legal persons Institutions Organizations Guardians/agents Group Objects Physical Terminal devices Network equipment SIM or Smart Card Virtual Software Geospatial Content Relying Parties (Using asserted identities) Service or resource provider Alliances Identity Providers (to End-Users) Credential provider Identifier provider Attribute provider Pattern/reputation provider Discovery provider Identity Bridge provider Auditing or Policy Enforcement provider Federations Union 6

7 3 requirements and recommendations Especially important Global mechanisms for discovery of asserted forms of identity Determining source for authoritative identities Interfederation bridging capabilities Should include characteristics and policies of the interfaces, dynamic registration and deregistration of federation relationships, authentication, permissions, and attributes Provider business agreements and federation based policies Union 7

8 7 recommendations concerning platform interoperability Includes the use of federations and Identity Bridge providers by end users Important recommendations Support for authentication domains within alliances and federations Union 8

9 13 recommendations applicable to IdPs security of identity resources, including 4 specifically related to protection of personally identifiable information Important recommendations Support for non-repudiation of assertions Consider adopted global standards in ITU, ISO and other bodies for Identity Assurance and Authentication Dynamic establishment of time-limited trust mechanisms for transient and changed relationships Support for terminal device objects (e.g., SIM cards) Notification of compromised identity resources to affected parties Support for multi-factor authentication IdM identity proofing matching different authentication contexts, especially when requested Provide levels of identity protection, including support for relevant OECD privacy guidelines Provide end user transparency and notification capabilities relevant to protection of personally identifiable information Union 9

10 3 requirements/recommendations for auditing and compliance Especially important Support for use of auditing mechanisms and exchange of information about those mechanisms Recommended time-stamp accuracy Area where more work would occur in Phase II of the Focus Group Union 10

11 3 recommendations applicable to Useability, Scaleability, Performance, Reliability, Availability, Accounting, ization, and Disaster Recovery Important recommendation include support for accounting mechanisms Area where more work would occur in Phase II of the Focus Group Union 11

12 Implications for NGN and other developments Almost every ITU-T Study Group has new Identity Management action items arising from the requirements Unclear how to coordinate Significant WTSA 2008 implications Requirements are essential network/cyber security Requirements include changes to IdM administrative practices TSB IdM responsibilities and ITU organs are similarly implicated including responding to global IdM needs at WTSA and other venues How is global discovery of authoritative identifiers and other identity resources going to occur GSC-12 resolution calls for an ITU global coordinating role across array of standards bodies Requirements produce numerous new and evolved Opportunities for business Actions for government Residual work on IdM aimed at Transitioning the work into all ITU-T Study Groups and ITU-D Dealing with objects and new NGN services Union 12